Search Results

Eye of GNOME (aka eog) 3.16.5, 3.17.x, 3.18.x before 3.18.3, 3.19.x,
and 3.20.x before 3.20.4, when used with glib before 2.44.1, allow
remote attackers to cause a denial of service (out-of-bounds write and
crash) via vectors involving passing invalid UTF-8 to GMarkup.

Use-after-free vulnerability in the
nsNodeUtils::NativeAnonymousChildListChange function in Mozilla
Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote
attackers to execute arbitrary code or cause a denial of service (heap
memory corruption) via an SVG element that is mishandled during effect
application.

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before
9.2.2 allows remote attackers to bypass the Same Origin Policy and
obtain image data from an unintended web site via a timing attack
involving an SVG document.

The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows
context-dependent attackers to cause a denial of service (stack
consumption and application crash) via circular definitions in an SVG
document.

The nsScannerString::AppendUnicodeTo function in Mozilla Firefox
before 45.0 and Firefox ESR 38.x before 38.7 does not verify that
memory allocation succeeds, which allows remote attackers to execute
arbitrary code or cause a denial of service (out-of-bounds read) via
crafted Unicode data in an HTML, XML, or SVG document.

Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string
parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7
allows remote attackers to execute arbitrary code or cause a denial of
service (use-after-free) by leveraging mishandling of end tags, as
demonstrated by incorrect SVG processing, aka ZDI-CAN-3545.

The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg
before 2.40.7 allows context-dependent attackers to cause a denial of
service (out-of-bounds heap read) via an odd number of elements in a
coordinate pair in an SVG document.

The (1) AddWeightedPathSegLists and (2)
SVGPathSegListSMILType::Interpolate functions in Mozilla Firefox
before 42.0 and Firefox ESR 38.x before 38.4 lack status checking,
which allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via a crafted
SVG document.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before
1.24.2, when using HHVM, allows remote attackers to cause a denial of
service (CPU and memory consumption) via a large number of nested
entity references in an (1) SVG file or (2) XMP metadata in a PDF
file, aka a "billion laughs attack," a different vulnerability than
CVE-2015-2937.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2
allows remote attackers to bypass the SVG filtering and obtain
sensitive user information via a mixed case @import in a style element
in an SVG file, as demonstrated by "@imporT".

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2
does not properly handle cases in which the Zend interpreter xml_parse function
does not expand entities, which allows remote attackers to inject
arbitrary web script or HTML via a crafted SVG file.

Incomplete blacklist vulnerability in includes/upload/UploadBase.php
in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before
1.24.2 allows remote attackers to inject arbitrary web script or HTML
via an application/xml MIME type for a nested SVG with a data: URI.

platform/graphics/filters/FEColorMatrix.cpp in the SVG implementation
in Blink, as used in Google Chrome before 43.0.2357.65, does not
properly handle an insufficient number of values in an feColorMatrix
filter, which allows remote attackers to cause a denial of service
(container overflow) or possibly have unspecified other impact via a
crafted document.

Use-after-free vulnerability in the SVG implementation in Blink, as
used in Google Chrome before 43.0.2357.65, allows remote attackers to
cause a denial of service or possibly have unspecified other impact
via a crafted document that leverages improper handling of a shadow
tree for a use element.

Multiple use-after-free vulnerabilities in the DOM implementation in
Blink, as used in Google Chrome before 41.0.2272.76, allow remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors that trigger movement of a SCRIPT element to
different documents, related to (1) the
HTMLScriptElement::didMoveToNewDocument function in
core/html/HTMLScriptElement.cpp and (2) the
SVGScriptElement::didMoveToNewDocument function in
core/svg/SVGScriptElement.cpp.

Use-after-free vulnerability in the Element::detach function in
core/dom/Element.cpp in the DOM implementation in Blink, as used in
Google Chrome before 40.0.2214.91, allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors involving pending updates of detached elements.

WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before
8.0.1 allows remote attackers to bypass the Same Origin Policy via
crafted Cascading Style Sheets (CSS) token sequences within an SVG
file in the SRC attribute of an IMG element.

The QSvg module in Qt, as used in the Mumble client 1.2.x before
1.2.6, allows remote attackers to cause a denial of service (hang and
resource consumption) via a local file reference in an (1) image tag
or (2) XML stylesheet in an SVG file.

Use-after-free vulnerability in the SVG implementation in Blink, as
used in Google Chrome before 37.0.2062.94, allows remote attackers to
cause a denial of service or possibly have unspecified other impact by
leveraging improper caching associated with animation.

The ResourceFetcher::canRequest function in
core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome
before 36.0.1985.125, does not properly restrict subresource requests
associated with SVG files, which allows remote attackers to bypass the
Same Origin Policy via a crafted file.

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and
1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of
invalid namespaces in SVG files, which allows remote attackers to
conduct cross-site scripting (XSS) attacks via an SVG upload, as
demonstrated by use of a W3C XHTML namespace in conjunction with an
IFRAME element.

Use-after-free vulnerability in the SVG implementation in Blink, as
used in Google Chrome before 35.0.1916.114, allows remote attackers to
cause a denial of service or possibly have unspecified other impact
via vectors that trigger removal of an SVGFontFaceElement object,
related to core/svg/SVGFontFaceElement.cpp.

The SVG filter implementation in Mozilla Firefox before 28.0, Firefox
ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before
2.25 allows remote attackers to obtain sensitive
displacement-correlation information, and possibly bypass the Same
Origin Policy and read text from a different domain, via a timing
attack involving feDisplacementMap elements, a related issue to
CVE-2013-1693.

Use-after-free vulnerability in the SVGImage::setContainerSize
function in core/svg/graphics/SVGImage.cpp in the SVG implementation
in Blink, as used in Google Chrome before 33.0.1750.146, allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors related to the resizing of a view.

The SVGAnimateElement::calculateAnimatedValue function in
core/svg/SVGAnimateElement.cpp in Blink, as used in Google Chrome
before 33.0.1750.117, does not properly handle unexpected data types,
which allows remote attackers to cause a denial of service (incorrect
cast) or possibly have unspecified other impact via unknown vectors.

Use-after-free vulnerability in the RenderSVGImage::paint function in
core/rendering/svg/RenderSVGImage.cpp in Blink, as used in Google
Chrome before 32.0.1700.102, allows remote attackers to cause a denial
of service or possibly have unspecified other impact via vectors
involving a zero-size SVG image.

The SVG implementation in Blink, as used in Google Chrome before
31.0.1650.48, allows remote attackers to cause a denial of service
(out-of-bounds read) by leveraging the use of tree order, rather than
transitive dependency order, for layout.

core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.

Use-after-free vulnerability in the SVG implementation in Google
Chrome before 27.0.1453.110 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via unknown
vectors.

Use-after-free vulnerability in the SVG implementation in Google
Chrome before 27.0.1453.93 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via unknown
vectors.

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote
attackers to conduct cross-site scripting (XSS) attacks, as
demonstrated by a CDATA section containing valid UTF-7 encoded
sequences in an SVG file, which is then incorrectly interpreted as
UTF-8 by Chrome and Firefox.

The SVG filter implementation in Mozilla Firefox before 22.0, Firefox
ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR
17.x before 17.0.7 allows remote attackers to read pixel values, and
possibly bypass the Same Origin Policy and read text from a different
domain, by observing timing differences in execution of filter code.

Use-after-free vulnerability in Google Chrome before 25.0.1364.152
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors involving an SVG animation.

Google Chrome before 25.0.1364.97 on Windows and Linux, and before
25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of
service (incorrect memory access) or possibly have unspecified other
impact via a large number of SVG parameters.

Opera before 12.10 follows Internet shortcuts that are referenced by a
(1) IMG element or (2) other inline element, which makes it easier for
remote attackers to conduct phishing attacks via a crafted web site,
as exploited in the wild in November 2012.

Use-after-free vulnerability in Google Chrome before 23.0.1271.64
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to the handling of SVG
filters.

Use-after-free vulnerability in the nsTArray_base::Length function in
Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and
SeaMonkey before 2.12 allows remote attackers to execute arbitrary
code or cause a denial of service (heap memory corruption) via vectors
involving movement of a requiredFeatures attribute from one SVG
document to another.

Use-after-free vulnerability in Google Chrome before 22.0.1229.79
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors involving SVG text references.

Use-after-free vulnerability in Google Chrome before 17.0.963.46
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to layout of SVG
documents.

Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and
SeaMonkey before 2.6 allow remote attackers to capture keystrokes
entered on a web page, even when JavaScript is disabled, by using SVG
animation accessKey events within that web page.

The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and
SeaMonkey 2.5 does not properly interact with DOMAttrModified event
handlers, which allows remote attackers to cause a denial of service
(out-of-bounds memory access) or possibly have unspecified other
impact via vectors involving removal of SVG elements.

The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.

librsvg before 2.34.1 uses the node name to identify the type of node,
which allows context-dependent attackers to cause a denial of service
(NULL pointer dereference) and possibly execute arbitrary code via an
SVG file with a node with the element name starting with "fe", which
is misidentified as an RsvgFilterPrimitive.

Use-after-free vulnerability in Google Chrome before 18.0.1025.151
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to the handling of SVG
resources.

Use-after-free vulnerability in Google Chrome before 17.0.963.65
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors involving SVG animation elements.

Use-after-free vulnerability in Google Chrome before 17.0.963.65
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to the handling of SVG
values.

Google Chrome before 14.0.835.202 does not properly handle SVG text,
which allows remote attackers to cause a denial of service or possibly
have unspecified other impact via unknown vectors that lead to "stale
font."

Opera before 11.50 allows remote attackers to cause a denial of
service (application crash) via a gradient with many stops, related to
the implementation of CANVAS elements, SVG, and Cascading Style Sheets
(CSS).

Use-after-free vulnerability in the nsSVGPointList::AppendElement
function in the implementation of SVG element lists in Mozilla Firefox
before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via vectors involving a
user-supplied callback.

Multiple integer overflows in the SVG Filters implementation in
WebCore in WebKit in Google Chrome before 11.0.696.68 allow remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.

rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome
before 11.0.696.65 does not properly perform a cast of an unspecified
variable during an attempt to handle a block child, which allows
remote attackers to cause a denial of service (application crash) or
possibly have unknown other impact via a crafted text element in an
SVG document.

Integer overflow in the FilterEffect::copyImageBytes function in
platform/graphics/filters/FilterEffect.cpp in the SVG filter
implementation in WebCore in WebKit in Google Chrome before
11.0.696.65 allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via
crafted dimensions.

rendering/svg/RenderSVGResourceFilter.cpp in WebCore in WebKit in
Google Chrome before 11.0.696.65 allows remote attackers to cause a
denial of service (application crash) or possibly have unspecified
other impact via a crafted SVG document that leads to a "stale
pointer."

Google Chrome before 10.0.648.204 does not properly handle SVG text,
which allows remote attackers to cause a denial of service or possibly
have unspecified other impact via unknown vectors that lead to a
"stale pointer."

Google Chrome before 10.0.648.127 does not properly handle SVG
cursors, which allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors that lead
to a "stale pointer."

Google Chrome before 9.0.597.107 does not properly handle SVG
animations, which allows remote attackers to cause a denial of service
or possibly have unspecified other impact via unknown vectors that
lead to a "stale pointer."

Google Chrome before 9.0.597.107 does not properly perform SVG
rendering, which allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via
unknown vectors.

Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do
not properly handle SVG use elements, which allows remote attackers to
cause a denial of service or possibly have unspecified other impact
via unknown vectors that lead to a "stale pointer."

The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox
before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and
other versions before 6; SeaMonkey 2.x before 2.3; and possibly other
products does not properly handle SVG text, which allows remote
attackers to execute arbitrary code via unspecified vectors that lead
to a "dangling pointer."

Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem
function in the implementation of SVG element lists in Mozilla Firefox
before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via vectors involving a
user-supplied callback.

Array index error in the FEBlend::apply function in
WebCore/platform/graphics/filters/FEBlend.cpp in WebKit, as used in
Google Chrome before 7.0.517.44, webkitgtk before 1.2.6, and other
products, allows remote attackers to cause a denial of service and
possibly execute arbitrary code via a crafted SVG document, related to
effects in the application of filters.

Google Chrome before 7.0.517.44 does not properly perform a cast of an
unspecified variable during processing of an SVG use element, which
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted SVG document.

WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and
Windows, and before 4.1.3 on Mac OS X 10.4, does not properly perform
a cast of an unspecified variable during processing of colors in an
SVG document, which allows remote attackers to execute arbitrary code
or cause a denial of service (application crash) via a crafted web
site.

Google Chrome before 6.0.472.53 does not properly implement SVG
filters, which allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors, related to
a "stale pointer" issue.

Google Chrome before 5.0.375.127, and webkitgtk before 1.2.5, do not
properly handle SVG documents, which allows remote attackers to cause
a denial of service (memory corruption) or possibly have unspecified
other impact via unknown vectors related to state changes when using
DeleteButtonController.

Use-after-free vulnerability in WebKit, as used in Google Chrome
before 6.0.472.59, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors related
to nested SVG elements.

Use-after-free vulnerability in WebKit, as used in Apple iTunes before
10.2 on Windows, Apple Safari, and Google Chrome before 6.0.472.59,
allows remote attackers to execute arbitrary code or cause a denial of
service via vectors related to SVG styles, the DOM tree, and error
messages.

Use-after-free vulnerability in WebKit before r65958, as used in
Google Chrome before 6.0.472.59, allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that trigger use of document APIs such as document.close
during parsing, as demonstrated by a Cascading Style Sheets (CSS) file
referencing an invalid SVG font, aka rdar problem 8442098.

WebKit, as used in Apple Safari before 4.1.3 and 5.0.x before 5.0.3
and Google Chrome before 6.0.472.62, does not properly perform a cast
of an unspecified variable, which allows remote attackers to execute
arbitrary code or cause a denial of service (application crash) via an
SVG element in a non-SVG document.

Multiple use-after-free vulnerabilities in WebKit in Apple Safari
before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before
4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allow remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a (1) font-face or (2) use element in an SVG
document.

WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and
Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before
1.2.6; allows remote attackers to execute arbitrary code or cause a
denial of service (memory corruption and application crash) via a use
element in an SVG document.

WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and
Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before
1.2.6; allows remote attackers to execute arbitrary code or cause a
denial of service (memory corruption and application crash) via a
floating element in an SVG document.

Use-after-free vulnerability in WebKit in Apple Safari before 5.0.1 on
Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X
10.4; and webkitgtk before 1.2.6; allows remote attackers to execute
arbitrary code or cause a denial of service (application crash) via a
foreignObject element in an SVG document.

WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and
Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before
1.2.6; accesses uninitialized memory during processing of the (1)
:first-letter and (2) :first-line pseudo-elements in an SVG text
element, which allows remote attackers to execute arbitrary code or
cause a denial of service (application crash) via a crafted document.

Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on
Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X
10.4, allows remote attackers to execute arbitrary code or cause a
denial of service (application crash) via vectors related to the
Cascading Style Sheets (CSS) run-in property and multiple invocations
of a destructor for a child element that has been referenced multiple
times.

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and
Windows, and before 4.1 on Mac OS X 10.4, does not properly restrict
the reading of a canvas that contains an SVG image pattern from a
different web site, which allows remote attackers to read images from
other sites via a crafted canvas, related to a "cross-site image
capture issue."

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and
Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via an SVG document with nested use elements.

Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on
Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X
10.4, allows remote attackers to execute arbitrary code or cause a
denial of service (application crash) via an SVG document that
contains recursive Use elements, which are not properly handled during
page deconstruction.

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and
Windows, and before 4.1 on Mac OS X 10.4, accesses uninitialized
memory during the handling of a use element in an SVG document, which
allows remote attackers to execute arbitrary code or cause a denial of
service (application crash) via a crafted document containing XML that
triggers a parsing error, related to ProcessInstruction.

Double free vulnerability in WebKit in Apple Safari before 5.0 on Mac
OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4,
allows remote attackers to execute arbitrary code or cause a denial of
service (application crash) via vectors related to an event listener
in an SVG document, related to duplicate event listeners, a timer, and
an AnimateTransform object.

Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and
SeaMonkey before 2.0.3, do not properly support the
application/octet-stream content type as a protection mechanism
against execution of web script in certain circumstances involving SVG
and the EMBED element, which allows remote attackers to bypass the
Same Origin Policy and conduct cross-site scripting (XSS) attacks via
an embedded SVG document.

The getSVGDocument method in Google Chrome before 3.0.195.21 omits an
unspecified "access check," which allows remote web servers to bypass
the Same Origin Policy and conduct cross-site scripting attacks via
unknown vectors, related to a user's visit to a different web server
that hosts an SVG document.

Mozilla Firefox before 3.0.12 does not properly handle an SVG element
that has a property with a watch function and an __defineSetter__
function, which allows remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via a crafted document, related to a certain pointer
misinterpretation.

The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to
cause a denial of service (application hang) via a large value in the
r (aka Radius) attribute of a circle element, related to an "unclamped
loop."

Use-after-free vulnerability in the garbage-collection implementation
in WebCore in WebKit in Apple Safari before 4.0 allows remote
attackers to execute arbitrary code or cause a denial of service (heap
corruption and application crash) via an SVG animation element,
related to SVG set objects, SVG marker elements, the targetElement
attribute, and unspecified "caches."

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11,
1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer
is used and uploads are enabled, or an SVG scripting browser is used
and SVG uploads are enabled, allows remote authenticated users to
inject arbitrary web script or HTML by editing a wiki page.

Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before
3.0.2 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code
via vectors related to graphics rendering and (1) handling of a long
alert messagebox in the cairo_surface_set_device_offset function, (2)
integer overflows when handling animated PNG data in the info_callback
function in nsPNGDecoder.cpp, and (3) an integer overflow when
handling SVG data in the nsSVGFEGaussianBlurElement::SetupPredivide
function in nsSVGFilters.cpp.

Multiple unspecified vulnerabilities in the SVG parsing engine in
Apple Safari 3 Beta for Windows have unspecified remote attack vectors
and impact. NOTE: this issue contains no actionable information, but
it was released by a reliable researcher.

Heap-based buffer overflow in the _cairo_pen_init function in Mozilla
Firefox 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey
before 1.0.8 allows remote attackers to execute arbitrary code via a
large stroke-width attribute in the clipPath element in an SVG file.

The JavaScript SVG support in Opera before 9.10 does not properly
validate object types in a createSVGTransformFromMatrix request, which
allows remote attackers to execute arbitrary code via JavaScript code
that uses an invalid object in this request that causes a controlled
pointer to be referenced during the virtual function call.

The NPSVG3.dll ActiveX control for Adobe SVG Viewer 3.02 and earlier,
when running on Internet Explorer, allows remote attackers to
determine the existence of arbitrary files by setting the src property
to the target filename and using JavaScript to determine if the web
page immediately stops loading, which indicates whether the file
exists or not.